{"data":{"id":"44403932-937b-4a55-aee9-3e7628aa478b","title":"GHSA-6fw7-3q8r-m5vj: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment","summary":"FlowiseAI has a mass assignment vulnerability (a flaw where an application accepts unintended user input to modify server-controlled data) in its variable update endpoint that lets authenticated users change internal fields like workspaceId, createdDate, and updatedDate. Because the server doesn't properly validate or check permissions, attackers can reassign variables to different workspaces, potentially breaking tenant isolation (the separation that keeps different organizations' data separate in shared systems).","solution":"Upgrade flowise to version 3.1.2, which this record lists as the fixed release (versions <= 3.1.1 are affected). No other mitigation or workaround is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-6fw7-3q8r-m5vj","publishedAt":"2026-05-14T14:52:24.000Z","cveId":"CVE-2026-42861","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":["flowise@<= 3.1.1 (fixed: 3.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["FlowiseAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T14:52:24.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}